- 1. Update Your System
- 2. Install
openssh-server
- 3. Verify SSH Service and Configuration
- 4. Creating a User for SFTP Access
- 5. Firewall Considerations (Information Only)
- 6. Ensure SSH Service is Enabled to Start on Boot
- Finding Your Server’s IP Address
- Get Information of the SFTP Server
- Connect Local Devices to the Debian SFTP Server
- Advanced Backup Tip: Using
rsync
for Efficiency - Security Best Practices for SFTP
- Troubleshooting Common SFTP Issues
This guide will walk you through setting up an SFTP (SSH File Transfer Protocol) server on your Debian Bullseye system, specifically tailored for an arm64 Rockchip rk3588 machine. The goal is to enable efficient and secure file transfers from local devices (like iPhones, Android phones, laptops) to your Debian machine for backup purposes.
We will use openssh-sftp-server
, which is a component of the openssh-server
package. Installing openssh-server
from the Debian repositories will provide a modern and secure version of the SFTP server (typically OpenSSH 8.x on Bullseye; the “10” sometimes mentioned in discussions usually refers to a desire for a modern version rather than a specific package name). This guide assumes there is no active firewall on the Debian host machine.
While this guide uses standard Debian procedures applicable to any arm64 system, the RK3588 is a capable SoC. For most SFTP backup tasks, performance should be adequate. If you encounter performance bottlenecks with extremely large files or high-frequency transfers, system-level tuning (e.g., I/O schedulers, network stack parameters) might be explored, but this is beyond the scope of this basic setup guide.
#1. Update Your System
Ensure your Debian system is up-to-date. Open a terminal and execute:
sudo apt-get update
sudo apt-get upgrade -y
#2. Install openssh-server
SFTP service is provided by openssh-server
. If it’s not already installed (Debian server editions usually include it), install it:
sudo apt-get install openssh-server -y
The sftp-server
executable is typically located at /usr/lib/openssh/sftp-server
and is configured as a subsystem in the SSH daemon configuration.
#3. Verify SSH Service and Configuration
The SSH service (sshd
) should start automatically after installation. You can check its status:
sudo systemctl status sshd
Or simply:
sudo systemctl status ssh
Ensure the SFTP subsystem is enabled in the SSH configuration file (/etc/ssh/sshd_config
). It usually is by default. Look for a line similar to this:
Subsystem sftp /usr/lib/openssh/sftp-server
If you need to modify /etc/ssh/sshd_config
(e.g., to change the port or apply security hardening), restart the SSH service afterwards:
sudo systemctl restart sshd
#4. Creating a User for SFTP Access
SFTP uses system users for authentication. It’s good practice to create a dedicated user for SFTP access, especially if you want to restrict their capabilities or jail them to a specific directory (chroot). For simple backup purposes to a user’s home directory, an existing user can also be used if preferred.
To create a new user (e.g., backupuser
) with a home directory and prevent shell login (SFTP access only):
sudo useradd -m backupuser -d /home/backupuser -s /usr/sbin/nologin
# Or, for a more restrictive shell that also allows SFTP:
# sudo useradd -m backupuser -d /home/backupuser -s /bin/false
sudo passwd backupuser # Set a strong password for this user
This user (backupuser
) will be able to log in via SFTP and will be initially placed in their home directory (/home/backupuser
). Files backed up will go here unless the client navigates elsewhere (permissions permitting).
Permissions for Backup Target: Ensure the user has write permissions to their backup target directory.
- Home Directory: The
-m
option withuseradd
creates the home directory (e.g.,/home/backupuser
) and sets basic ownership forbackupuser
. - Dedicated Backup Location (e.g., a mounted drive): If you prefer to back up to a different location like
/mnt/backups_volume/my_device_backups
, ensurebackupuser
has appropriate permissions:sudo mkdir -p /mnt/backups_volume/my_device_backups sudo chown backupuser:backupuser /mnt/backups_volume/my_device_backups sudo chmod 700 /mnt/backups_volume/my_device_backups # Gives backupuser full rwx, no access for others
You would then instruct the user or configure backup clients to use this specific path after SFTP login.
#5. Firewall Considerations (Information Only)
As per your requirements, this guide assumes no firewall is active on the host Debian machine.
If you were to enable a firewall (e.g., UFW) on the Debian machine at a later time, you would need to allow traffic on the SSH port (default is 22
):
# Example for UFW if it were active:
# sudo ufw allow 22/tcp
# sudo ufw reload
Since no host firewall is assumed for this guide, no action is needed here. Also, be aware of any firewalls on your router or other network devices if connecting from outside your immediate LAN.
#6. Ensure SSH Service is Enabled to Start on Boot
To ensure the SSH service starts automatically when your machine boots:
sudo systemctl enable sshd
# or
sudo systemctl enable ssh
The service is likely already enabled if it was installed as part of the system or via apt
.
#Finding Your Server’s IP Address
To connect to your SFTP server, you’ll need its IP address on your local network. On your Debian server terminal, you can find it using one of these commands:
hostname -I
# or
ip addr show
Look for an IP address associated with your network interface (e.g., eth0
, wlan0
), typically in a format like 192.168.x.x
or 10.x.x.x
.
#Get Information of the SFTP Server
This script helps gather relevant information about your openssh-server
and SFTP setup. Save it as a .sh
file, make it executable (chmod +x scriptname.sh
), and run it with sudo ./scriptname.sh
.
#!/bin/bash
# Script to gather and display OpenSSH SFTP server information on Debian Bullseye
echo "Gathering OpenSSH SFTP server information..."
echo "--------------------------------------------"
# --- General System & Service Info ---
IP_ADDRESSES=$(hostname -I 2>/dev/null | sed 's/ *$//g' || echo "IP addresses not found")
SSH_SERVICE_STATUS=$(systemctl is-active sshd 2>/dev/null || systemctl is-active ssh 2>/dev/null || echo "Status not determinable or service inactive")
PKG_VERSION=$(dpkg -s openssh-server 2>/dev/null | grep '^Version:' | awk '{print $2}' || echo "Package version not found")
echo -e "\n**General System & Service Info:**"
echo -e " System IP Addresses: $IP_ADDRESSES"
echo -e " OpenSSH Service Status (systemctl): $SSH_SERVICE_STATUS"
echo -e " OpenSSH Server Package Version (dpkg): $PKG_VERSION"
# --- SSH Configuration ---
SSHD_CONFIG_FILE="/etc/ssh/sshd_config"
echo -e "\n**SSH Configuration ($SSHD_CONFIG_FILE):**"
if [ -f "$SSHD_CONFIG_FILE" ]; then
PORT=$(grep -iE "^Port\s" "$SSHD_CONFIG_FILE" | awk '{print $2}' | tail -n 1)
[ -z "$PORT" ] && PORT="22 (default)"
echo -e " Listening Port (from config): $PORT"
SFTP_SUBSYSTEM=$(grep -iE "^Subsystem\s+sftp" "$SSHD_CONFIG_FILE" | tail -n 1)
if [ -n "$SFTP_SUBSYSTEM" ]; then
echo -e " SFTP Subsystem Config: $SFTP_SUBSYSTEM"
else
echo -e " SFTP Subsystem Config: Not explicitly found or commented out (sftp might still work via internal default)."
fi
PASSWORD_AUTH=$(grep -iE "^PasswordAuthentication\s" "$SSHD_CONFIG_FILE" | awk '{print $2}' | tail -n 1)
if [ -n "$PASSWORD_AUTH" ]; then
echo -e " Password Authentication: $PASSWORD_AUTH"
else
echo -e " Password Authentication: Not explicitly set (defaults to yes, unless overridden by other settings like PubkeyAuthentication only)."
fi
CHALLENGE_RESPONSE_AUTH=$(grep -iE "^ChallengeResponseAuthentication\s" "$SSHD_CONFIG_FILE" | awk '{print $2}' | tail -n 1)
if [ -n "$CHALLENGE_RESPONSE_AUTH" ]; then
echo -e " ChallengeResponseAuthentication: $CHALLENGE_RESPONSE_AUTH"
else
echo -e " ChallengeResponseAuthentication: Not explicitly set (defaults to yes, but behavior can depend on PAM)."
fi
USE_PAM=$(grep -iE "^UsePAM\s" "$SSHD_CONFIG_FILE" | awk '{print $2}' | tail -n 1)
if [ -n "$USE_PAM" ]; then
echo -e " UsePAM: $USE_PAM"
else
echo -e " UsePAM: Not explicitly set (defaults to yes on Debian)."
fi
else
echo " $SSHD_CONFIG_FILE not found."
fi
# --- Listening Ports (from ss) ---
echo -e "\n**Actual Listening Ports (from ss):**"
LISTENING_SSH_PORTS=$(ss -tlpn 2>/dev/null | grep 'sshd' | awk '{print $4}' | sed 's/.*://' | sort -u | tr '\n' ' ' | sed 's/ *$//g')
if [ -z "$LISTENING_SSH_PORTS" ]; then
LISTENING_SSH_PORTS="sshd process not found listening or ss command issue."
fi
echo -e " sshd listening on port(s): $LISTENING_SSH_PORTS"
# --- SFTP User Information (example 'backupuser') ---
SFTP_USER="backupuser" # Change if you used a different username
echo -e "\n**SFTP User Information (Example: '$SFTP_USER'):**"
if getent passwd "$SFTP_USER" >/dev/null 2>&1; then
FTPUSER_EXISTS_MSG="User '$SFTP_USER' exists."
FTPUSER_HOME_DIR=$(getent passwd "$SFTP_USER" | cut -d: -f6)
FTPUSER_SHELL=$(getent passwd "$SFTP_USER" | cut -d: -f7)
echo -e " Status of '$SFTP_USER': $FTPUSER_EXISTS_MSG"
echo -e " Home Directory for '$SFTP_USER': $FTPUSER_HOME_DIR"
echo -e " Shell for '$SFTP_USER': $FTPUSER_SHELL (Note: /usr/sbin/nologin or /bin/false is common for SFTP-only users)"
else
echo -e " User '$SFTP_USER' not found in /etc/passwd. (Create this user or use an existing one)."
fi
echo -e " Password for SFTP User: [This cannot be retrieved. Use the password you set for the system user '$SFTP_USER'.]"
echo "--------------------------------------------"
echo "Script finished."
echo "Note: For detailed logs, check 'sudo journalctl -u sshd' or '/var/log/auth.log'."
#Connect Local Devices to the Debian SFTP Server
The primary goal is to back up files from various devices. SFTP is widely supported. Many client operating systems also offer scripting capabilities (e.g., shell scripts with sftp
or rsync
on Linux/macOS, PowerShell on Windows) and some third-party backup applications on mobile/desktop can use SFTP as a target for scheduled backups.
General Connection Details You’ll Need:
- Host/Server IP Address: The IP address of your Debian rk3588 machine (see “Finding Your Server’s IP Address” above).
- Username: The user you created or designated for SFTP (e.g.,
backupuser
). - Password: The password for that user.
- Port:
22
(the default SSH/SFTP port, unless you changed it insshd_config
).
#1. Connecting from Windows using FileZilla
- Install FileZilla: Download and install the FileZilla Client if you haven’t already.
- Launch FileZilla.
- Quickconnect:
- Host: Enter your Debian server’s IP address (e.g.,
192.168.1.100
). - Username:
backupuser
(or your chosen username). - Password: The user’s password.
- Port:
22
. - Click Quickconnect. (Alternatively, for the Host field, you can type
sftp://192.168.1.100
; FileZilla will parse the protocol and host).
- Host: Enter your Debian server’s IP address (e.g.,
- Trust SSH Host Key: The first time you connect, FileZilla will show a warning about an unknown host key. This is normal. Verify the fingerprint if possible (advanced), or click OK or Trust to save the host key and continue.
- Transfer Files: Use the left pane (Local site) for your Windows files and the right pane (Remote site) for your Debian server. Drag and drop files/folders to the
backupuser
’s target backup directory on the server. - Using Site Manager (Recommended for frequent connections):
- Go to File > Site Manager.
- Click New Site, name it (e.g., “Debian Backup Server”).
- Protocol: Select
SFTP - SSH File Transfer Protocol
. - Host: Your Debian server’s IP.
- Port:
22
. - Logon Type:
Normal
. - User:
backupuser
. - Password: The user’s password (or choose “Ask for password” or set up key-based authentication).
- Click Connect.
#2. Connecting from macOS
- Finder:
- Open Finder.
- Go to Go > Connect to Server… (Cmd+K).
- In the Server Address field, type:
sftp://backupuser@YOUR_SERVER_IP_ADDRESS
(e.g.,sftp://backupuser@192.168.1.100
). - Click Connect. You’ll be prompted for the password.
- The SFTP location will mount like a regular drive.
- Terminal (Command Line
sftp
):sftp backupuser@YOUR_SERVER_IP_ADDRESS # Example: sftp backupuser@192.168.1.100
You’ll be prompted for the password. Use commands like
put local_file remote_file
,get remote_file local_file
,ls
,cd
, etc. - Third-party Apps: Cyberduck, Transmit, ForkLift are popular SFTP clients for macOS.
#3. Connecting from Linux Desktops
- File Manager: Most Linux desktop environments (GNOME, KDE, XFCE) allow connecting to SFTP shares directly from their file managers (e.g., Nautilus, Dolphin, Thunar). Look for “Connect to Server” or similar options in the file menu or sidebar, and use
sftp://backupuser@YOUR_SERVER_IP_ADDRESS
as the address. - Terminal (Command Line
sftp
): Same as macOS:sftp backupuser@YOUR_SERVER_IP_ADDRESS
#4. Connecting from iOS (iPhone/iPad)
You’ll need an app that supports SFTP. Some popular choices:
- Secure ShellFish (Recommended): A powerful SSH and SFTP client.
- Termius: Also offers SSH/SFTP capabilities.
- FE File Explorer: File Manager
- The built-in Files App can sometimes access SFTP locations if another app provides an SFTP extension.
In the chosen app, you’ll typically add a new server/connection and input the Host IP, username, password, and port (22).
#5. Connecting from Android
Many file manager apps on Android support SFTP, or you can get dedicated SFTP clients:
- Solid Explorer File Manager (has SFTP plugin/support).
- FX File Explorer (has SFTP support).
- MiXplorer (free, powerful, supports SFTP - often found outside Play Store, e.g., XDA).
- Termux (for command-line
sftp
if you prefer).
Similar to iOS, you’ll add a new SFTP connection in the app using your server’s IP, username, password, and port 22.
#Advanced Backup Tip: Using rsync
for Efficiency
For more efficient backups, especially for large files or repeated backups, consider using rsync
over SSH. rsync
only transfers the differences between files, saving time and bandwidth.
Example rsync
command (run on the client machine):
rsync -avz --progress /path/to/local/source/directory/ backupuser@YOUR_SERVER_IP_ADDRESS:/path/to/remote/backup_destination/
-a
: Archive mode (preserves permissions, ownership, timestamps, etc.).-v
: Verbose output.-z
: Compress file data during transfer.--progress
: Show progress during transfer.- Trailing slash on source:
/source/directory/
copies the contents of the directory. Without it,/source/directory
would copy the directory itself into the destination.
You’ll be prompted for the backupuser
’s password unless you’ve set up SSH key-based authentication.
#Security Best Practices for SFTP
- Strong Passwords: Use strong, unique passwords for all user accounts that have SSH/SFTP access.
- Key-Based Authentication (More Secure): For significantly better security, disable password authentication and use SSH key pairs. This involves generating a key pair on the client, copying the public key to
~/.ssh/authorized_keys
on the server for the user, and then settingPasswordAuthentication no
in/etc/ssh/sshd_config
on the server. - Regular Updates: Keep your
openssh-server
package updated:sudo apt-get update sudo apt-get upgrade
- Minimize User Privileges: The
backupuser
created with/usr/sbin/nologin
cannot get an interactive shell, which is good. Only grant write permissions to directories where backups are intended. - Chroot Jail (Advanced): To restrict an SFTP user to only their home directory (or another specific directory) and prevent them from seeing the rest of the server’s filesystem, configure a chroot jail. This involves changes in
/etc/ssh/sshd_config
. Add or modify the following at the end of/etc/ssh/sshd_config
:Match User backupuser ChrootDirectory /home/backupuser # Or your designated chroot path ForceCommand internal-sftp AllowTcpForwarding no X11Forwarding no
Important Chroot Directory Permissions:
- The
ChrootDirectory
path itself (e.g.,/home/backupuser
) and all its parent components must be owned by root and not writable by any other user (e.g., permissions755
orrwxr-xr-x
).# Example if /home/backupuser is the ChrootDirectory sudo chown root:root /home/backupuser sudo chmod 755 /home/backupuser
- Create a subdirectory inside the chroot for the user to write to, and give the SFTP user ownership of this subdirectory:
sudo mkdir /home/backupuser/uploads # Or any name like 'files', 'backups' sudo chown backupuser:backupuser /home/backupuser/uploads sudo chmod 755 /home/backupuser/uploads # Or 700 if only user needs access
After making changes to
sshd_config
, restart the SSH service:sudo systemctl restart sshd
.
- The
- Monitor Logs: Check SSH logs for suspicious activity:
sudo journalctl -u sshd
or examine/var/log/auth.log
.
#Troubleshooting Common SFTP Issues
- Connection Refused:
- SSH Service Not Running: Ensure
sshd
is active on the server:sudo systemctl status sshd
. Start it if needed:sudo systemctl start sshd
. - Incorrect IP Address or Port: Double-check the server’s IP and that you’re using port
22
(unless you’ve changed it). - Network Connectivity: Ensure your client device is on the same network as the server and can reach it (try
ping YOUR_SERVER_IP_ADDRESS
from a client that supports ping).
- SSH Service Not Running: Ensure
- Authentication Failed / Permission Denied (Password):
- Incorrect Username or Password: Verify credentials carefully. Linux passwords are case-sensitive.
- User Account Issues: Ensure the user account exists, is not locked, and has a valid password set on the server.
- Check
/var/log/auth.log
on the server for more detailed error messages.
- Permission Denied (File Transfer):
- Directory Permissions: The SFTP user needs write permissions for the target directory on the server. Use
ls -ld /path/to/target_directory
on the server to check permissions. Usesudo chown backupuser:backupuser /path/to/target_directory
andsudo chmod u+rwx /path/to/target_directory
as needed (adjust group/other permissions as necessary). - Chroot Issues: If you’ve set up a chroot, ensure permissions inside and for the chroot directory are correct as detailed in the “Chroot Jail” section. This is a common point of failure.
- Directory Permissions: The SFTP user needs write permissions for the target directory on the server. Use
- Host Key Verification Failed / Changed Host Key:
- This usually happens if the server’s SSH host key has changed (e.g., after an OS reinstall) or if you’re connecting to a different server that happens to have the same IP address as a previous one.
- Most SFTP clients allow you to remove the old host key for that IP address and accept the new one. For command-line
sftp
orssh
, you might need to edit~/.ssh/known_hosts
on the client machine and remove the line corresponding to your server’s IP.